Real-Time Monitoring Alert Chaining, Root Cause Analysis, and Optimization

ABSTRACT

Managing real-time monitoring alerts is provided. An alert is generated for one or more metrics exceeding corresponding defined metric threshold values. A root cause dependency table showing relationships between alerts is retrieved. It is determined whether current real-time metrics are needed from one or more monitoring agents that correspond to dependent alerts not triggered in an alert chain of the generated alert based on information in the root cause dependency table. In response to determining that the current real-time metrics are needed from the one or more monitoring agents that correspond to the dependent alerts not triggered in the alert chain of the generated alert based on the information in the root cause dependency table, the current real-time metrics are requested from the one or more monitoring agents that correspond to the dependent alerts not triggered in the alert chain.

BACKGROUND 1. Field

The disclosure relates generally to cloud environment monitoring andmore specifically to managing real-time cloud environment componentmonitoring alerts in a chain of alerts, analyzing alerts in the chain ofalerts to determine a root cause of the alerts having dependent alertrelationships, and optimizing a root cause dependency table and amonitoring component corresponding to the cloud environment based on theanalysis of the root cause alert chain.

2. Description of the Related Art

A cloud monitoring system may generate thousands of alerts every day,which is known as an “alert storm”. It is difficult for systemadministrators to process all of these alerts. Further, it becomes moredifficult for system administrators when there are multiple cloudenvironments, such as, for example, tens or even hundreds of cloudenvironments, needing attention based on these alerts. Aggregation anddependency analysis of alerts are straightforward ways to solve thealert storm problem by analyzing historical alert data. However, in areal production system, the alerts based on historical data may betotally inaccurate. Different monitoring intervals of different monitorsare a problem in cloud environments. The problem is that static alertaggregation does not provide a full picture of alert dependenciesbecause one or more dependent alerts may not have been triggered yet.Thus, the cloud monitoring system has to wait for outstanding dependentalerts to arrive or send an inaccurate or incomplete root cause alertchain based on the static alert historical data.

Further, noise is another problem in monitoring cloud environments. Whenalerts are triggered, a downstream alert analysis system may get amultitude of unreasonable or confusing alerts, which are monitoringnoise. Furthermore, one alert may be caused by another alert when thetwo alerts have an alert dependency relationship between them. Inaddition, several different alerts may be caused by the same problem.For example, all network transactions depend on a network functioningproperly. If the network fails, then alerts are sent out to systemadministrators. However, a system administrator working on solving thenetwork problem would be distracted by receiving a multitude oftransaction failure alerts due to the network being down.

SUMMARY

According to one illustrative embodiment, a computer-implemented methodfor managing real-time monitoring alerts is provided. A computergenerates an alert for one or more metrics exceeding correspondingdefined metric threshold values. The computer retrieves a root causedependency table showing relationships between alerts. The computerdetermines whether current real-time metrics are needed from one or moremonitoring agents that correspond to dependent alerts not triggered inan alert chain of the generated alert based on information in the rootcause dependency table. In response to the computer determining that thecurrent real-time metrics are needed from the one or more monitoringagents that correspond to the dependent alerts not triggered in thealert chain of the generated alert based on the information in the rootcause dependency table, the computer requests the current real-timemetrics from the one or more monitoring agents that correspond to thedependent alerts not triggered in the alert chain. According to otherillustrative embodiments, a computer system and computer program productfor managing real-time monitoring alerts are provided.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a pictorial representation of a network of data processingsystems in which illustrative embodiments may be implemented;

FIG. 2 is a diagram of a data processing system in which illustrativeembodiments may be implemented;

FIG. 3 is a diagram illustrating a cloud computing environment in whichillustrative embodiments may be implemented;

FIG. 4 is a diagram illustrating an example of abstraction layers of acloud computing environment in accordance with an illustrativeembodiment;

FIG. 5 is a diagram illustrating an example of an alert managementsystem in accordance with an illustrative embodiment;

FIG. 6 is a sequence diagram illustrating a process for managingreal-time monitoring alerts in accordance with an illustrativeembodiment;

FIG. 7 is a diagram illustrating an example of alert relationships inaccordance with an illustrative embodiment; and

FIGS. 8A-8B are a flowchart illustrating a process for managingreal-time monitoring alerts in accordance with an illustrativeembodiment.

DETAILED DESCRIPTION

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

With reference now to the figures, and in particular, with reference toFIGS. 1-5, diagrams of data processing environments are provided inwhich illustrative embodiments may be implemented. It should beappreciated that FIGS. 1-5 are only meant as examples and are notintended to assert or imply any limitation with regard to theenvironments in which different embodiments may be implemented. Manymodifications to the depicted environments may be made.

FIG. 1 depicts a pictorial representation of a network of dataprocessing systems in which illustrative embodiments may be implemented.Network data processing system 100 is a network of computers, dataprocessing systems, and other devices in which the illustrativeembodiments may be implemented. Network data processing system 100contains network 102, which is the medium used to provide communicationslinks between the computers, data processing systems, and other devicesconnected together within network data processing system 100. Network102 may include connections, such as, for example, wire communicationlinks, wireless communication links, and fiber optic cables.

In the depicted example, server 104 and server 106 connect to network102, along with storage 108. Server 104 and server 106 may be, forexample, server computers with high-speed connections to network 102. Inaddition, server 104 and server 106 may provide services for managingreal-time monitoring alerts by analyzing alerts in a chain of alerts todetermine a root cause of the alerts having dependent alertrelationships based on a root cause dependency table. A root causedependency table identifies relationships among dependent monitoringalerts. Also, it should be noted that server 104 and server 106 may eachrepresent a plurality of different servers providing alert managementservices to clients.

Client 110, client 112, and client 114 also connect to network 102.Clients 110, 112, and 114 are clients of server 104 and server 106. Inaddition, server 104 and server 106 may provide information, such asboot files, operating system images, software applications, and clientcomponent monitoring agents to clients 110, 112, and 114. Server 104 andserver 106 utilize the monitoring agents to collect differentperformance metrics corresponding to the different components of clients110, 112, and 114 to determine if the components are working properly(e.g., without fault or issue).

In this example, clients 110, 112, and 114 are shown as desktop orpersonal computers. However, it should be noted that clients 110, 112,and 114 are intended as examples only. In other words, clients 110, 112,and 114 may include other types of data processing systems, such as, forexample, network computers, laptop computers, tablet computers, handheldcomputers, smart phones, smart watches, smart televisions, smartvehicles, smart wearable devices, such as smart glasses and smartexercise tracking devices, smart implants, such as smart heart monitorsand pacemakers, personal digital assistants, gaming devices, kiosks, andthe like. Further, it should be noted that clients 110, 112, and 114 mayeach represent a different cloud environment comprising a plurality ofdifferent data processing system devices.

Storage 108 is a network storage device capable of storing any type ofdata in a structured format or an unstructured format. In addition,storage 108 may represent a plurality of network storage devices.Further, storage 108 may store a plurality of defined metric thresholdvalues corresponding to a plurality of different client componentperformance metrics; lists of client components to be monitored; listsof monitoring agents corresponding to the client components; names andidentifiers for a plurality of client devices; root cause alert chains;root cause dependency tables, and the like. Furthermore, storage unit108 may store other types of data, such as authentication or credentialdata that may include user names, passwords, and biometric dataassociated with system administrators, for example.

In addition, it should be noted that network data processing system 100may include any number of additional servers, clients, storage devices,and other devices not shown. Program code located in network dataprocessing system 100 may be stored on a computer readable storagemedium and downloaded to a computer or other data processing device foruse. For example, program code may be stored on a computer readablestorage medium on server 104 and downloaded to client 110 over network102 for use on client 110.

In the depicted example, network data processing system 100 may beimplemented as a number of different types of communication networks,such as, for example, an internet, an intranet, a local area network(LAN), and a wide area network (WAN). FIG. 1 is intended as an exampleonly, and not as an architectural limitation for the differentillustrative embodiments.

With reference now to FIG. 2, a diagram of a data processing system isdepicted in accordance with an illustrative embodiment. Data processingsystem 200 is an example of a computer, such as server 104 in FIG. 1, inwhich computer readable program code or instructions implementingprocesses of illustrative embodiments may be located. In thisillustrative example, data processing system 200 includes communicationsfabric 202, which provides communications between processor unit 204,memory 206, persistent storage 208, communications unit 210,input/output (I/O) unit 212, and display 214.

Processor unit 204 serves to execute instructions for softwareapplications and programs that may be loaded into memory 206. Processorunit 204 may be a set of one or more hardware processor devices or maybe a multi-processor core, depending on the particular implementation.Further, processor unit 204 may be implemented using one or moreheterogeneous processor systems, in which a main processor is presentwith secondary processors on a single chip. As another illustrativeexample, processor unit 204 may be a symmetric multi-processor systemcontaining multiple processors of the same type.

Memory 206 and persistent storage 208 are examples of storage devices216. A computer readable storage device is any piece of hardware that iscapable of storing information, such as, for example, withoutlimitation, data, computer readable program code in functional form,and/or other suitable information either on a transient basis and/or apersistent basis. Further, a computer readable storage device excludes apropagation medium. Memory 206, in these examples, may be, for example,a random access memory, or any other suitable volatile or non-volatilestorage device. Persistent storage 208 may take various forms, dependingon the particular implementation. For example, persistent storage 208may contain one or more devices. For example, persistent storage 208 maybe a hard drive, a flash memory, a rewritable optical disk, a rewritablemagnetic tape, or some combination of the above. The media used bypersistent storage 208 may be removable. For example, a removable harddrive may be used for persistent storage 208.

In this example, persistent storage 208 stores alert manager 218.However, it should be noted that even though alert manager 218 isillustrated as residing in persistent storage 208, in an alternativeillustrative embodiment alert manager 218 may be a separate component ofdata processing system 200. For example, alert manager 218 may be ahardware component coupled to communication fabric 202 or a combinationof hardware and software components. In another alternative illustrativeembodiment, a first portion of the components of alert manager 218 maybe located in data processing system 200 and a second portion of thecomponents of alert manager 218 may be located in a client device, suchas client 110 in FIG. 1.

Alert manager 218 manages real-time cloud environment componentmonitoring alerts in a chain of alerts, analyzes the alerts in the chainto determine a root cause of the alerts having dependent alertrelationships, and optimizes a root cause dependency table and amonitoring component based on the analysis of the root cause alertchain. In this example, alert manager 218 includes monitoring component220, alert root cause analysis component 222, and altering component224. Cloud environment 226 represents a description of cloud environmentcomponents 228 that comprise cloud environment 226. Cloud environmentcomponents 228 represent a plurality of different components, such as,for example, computers, routers, data processing systems, storagedevices, applications, services, networks, and the like, within cloudenvironment 226.

Monitoring agents 230 represent a plurality of monitoring agents thatcollect metrics 232 corresponding to each of cloud environmentcomponents 228. Metrics 232 represent performance metrics collected bymonitoring agents 230 during operation of cloud environment components228. In other words, metrics 232 measure whether a cloud environmentcomponent is performing or operating within normal limits without issueor fault. In addition, the different metrics may be captured atdifferent time intervals. Also, it should be noted that monitoringagents 230 may perform intrusive or non-intrusive monitoring.

Monitoring agents 230 collect metrics 232 at metric collection timeintervals 234. Metric collection time intervals 234 represent aplurality of different specified metric collection times when monitoringagents 230 are to collect metrics 232. It should be noted that theplurality of different specified metric collection times may not occurat the same time. In other words, the specified time for collectingmetrics from one cloud environment component may be different from thespecified time for collecting metrics from another cloud environmentcomponent.

Monitoring component 220 utilizes metrics collector 234 to retrievemetrics 232 from monitoring agents 230 corresponding to cloudenvironment components 228 in cloud environment 226. Metrics collector234 processes metrics 232 by comparing metrics 232 to thresholds 236.Thresholds 236 represent a plurality of defined metric threshold valuesthat correspond to each metric in metrics 232. When metrics in metrics232 meet or exceed a corresponding metric threshold value in thresholds236, metrics collector generates raw alerts 238 for the out-of-rangemetrics. Metrics collector 234 sends raw alerts 238 to alert root causeanalysis component 222.

Alert root cause analysis component 222 includes analysis engine 240,alert engine 242, and optimizer engine 244. Alert root cause component222 utilizes analysis engine 240 to process raw alerts 238 based on rootcause dependency table 246 to identify the underlying dependenciesbetween alerts. Root cause dependency table 246 represents a logicaltable that describes dependent relationships between alerts. Inaddition, root cause dependency table 246 may represent a plurality ofdifferent root cause dependency tables corresponding to a plurality ofdifferent cloud environments. If analysis engine 240 determines thatcurrent real-time metrics are needed to generate root cause alert chain248 based on analyzing root cause dependency table 246, then analysisengine 240 initiates a metric collection request to alert engine 242.Alert engine 242 sends the metric collection request to correspondingmonitoring agents, whose metric collection time intervals haven't beenreached yet, to collect the current real-time metrics from correspondingcloud components.

After receiving and processing the additional metric data, analysisengine 240 generates root cause alert chain 248. Root cause alert chain248 represents a chain identifying alert dependencies and theircorresponding metric collection time sequences. In other words, rootcause alert chain 248 is complete containing information regarding allalerts in the chain regardless of having different metric collectiontime intervals. Analysis engine 240 sends root cause alert chain 248 tooptimizer engine 244. Optimizer engine 244 utilizes root cause alertchain 248 to learn the latest dependency relationships between alerts.After learning the latest dependency relationships between alerts,optimizer engine 244 optimizes root cause dependency table 246 byupdating root cause dependency table 246 to include the latestdependency relationships between alerts. Further, when optimizer engine244 determines that particular alerts are triggered too often or toomany times (e.g., too often or many times for system administrators toproperly process) within a pre-defined period of time, optimizer engine244 adjusts corresponding metric threshold levels in metrics collector234 to reduce the number of triggered alerts.

Analysis engine 240 also sends root cause alert chain 248 to alertengine 242. Alert engine 242 forwards root cause alert chain 248 toalerting component 224. Alerting component 224 generates root causealert chain alert 250, which includes root chain alert chain 248.Alerting component 224 transmits root cause alert chain alert 250 to oneor more system administrators for further analysis via email, page,and/or real-time message.

Communications unit 210, in this example, provides for communicationwith other computers, data processing systems, and devices via anetwork, such as network 102 in FIG. 1. Communications unit 210 mayprovide communications through the use of both physical and wirelesscommunications links. The physical communications link may utilize, forexample, a wire, cable, universal serial bus, or any other physicaltechnology to establish a physical communications link for dataprocessing system 200. The wireless communications link may utilize, forexample, shortwave, high frequency, ultra high frequency, microwave,wireless fidelity (Wi-Fi), Bluetooth® technology, global system formobile communications (GSM), code division multiple access (CDMA),second-generation (2G), third-generation (3G), fourth-generation (4G),4G Long Term Evolution (LTE), LTE Advanced, or any other wirelesscommunication technology or standard to establish a wirelesscommunications link for data processing system 200.

Input/output unit 212 allows for the input and output of data with otherdevices that may be connected to data processing system 200. Forexample, input/output unit 212 may provide a connection for user inputthrough a keypad, a keyboard, a mouse, and/or some other suitable inputdevice. Display 214 provides a mechanism to display information to auser and may include touch screen capabilities to allow the user to makeon-screen selections through user interfaces or input data, for example.

Instructions for the operating system, applications, and/or programs maybe located in storage devices 216, which are in communication withprocessor unit 204 through communications fabric 202. In thisillustrative example, the instructions are in a functional form onpersistent storage 208. These instructions may be loaded into memory 206for running by processor unit 204. The processes of the differentembodiments may be performed by processor unit 204 usingcomputer-implemented instructions, which may be located in a memory,such as memory 206. These program instructions are referred to asprogram code, computer usable program code, or computer readable programcode that may be read and run by a processor in processor unit 204. Theprogram instructions, in the different embodiments, may be embodied ondifferent physical computer readable storage devices, such as memory 206or persistent storage 208.

Program code 252 is located in a functional form on computer readablemedia 254 that is selectively removable and may be loaded onto ortransferred to data processing system 200 for running by processor unit204. Program code 252 and computer readable media 254 form computerprogram product 256. In one example, computer readable media 254 may becomputer readable storage media 258 or computer readable signal media260. Computer readable storage media 258 may include, for example, anoptical or magnetic disc that is inserted or placed into a drive orother device that is part of persistent storage 208 for transfer onto astorage device, such as a hard drive, that is part of persistent storage208. Computer readable storage media 258 also may take the form of apersistent storage, such as a hard drive, a thumb drive, or a flashmemory that is connected to data processing system 200. In someinstances, computer readable storage media 258 may not be removable fromdata processing system 200.

Alternatively, program code 252 may be transferred to data processingsystem 200 using computer readable signal media 260. Computer readablesignal media 260 may be, for example, a propagated data signalcontaining program code 252. For example, computer readable signal media260 may be an electro-magnetic signal, an optical signal, and/or anyother suitable type of signal. These signals may be transmitted overcommunication links, such as wireless communication links, an opticalfiber cable, a coaxial cable, a wire, and/or any other suitable type ofcommunications link. In other words, the communications link and/or theconnection may be physical or wireless in the illustrative examples. Thecomputer readable media also may take the form of non-tangible media,such as communication links or wireless transmissions containing theprogram code.

In some illustrative embodiments, program code 252 may be downloadedover a network to persistent storage 208 from another device or dataprocessing system through computer readable signal media 260 for usewithin data processing system 200. For instance, program code stored ina computer readable storage media in a data processing system may bedownloaded over a network from the data processing system to dataprocessing system 200. The data processing system providing program code252 may be a server computer, a client computer, or some other devicecapable of storing and transmitting program code 252.

The different components illustrated for data processing system 200 arenot meant to provide architectural limitations to the manner in whichdifferent embodiments may be implemented. The different illustrativeembodiments may be implemented in a data processing system includingcomponents in addition to, or in place of, those illustrated for dataprocessing system 200. Other components shown in FIG. 2 can be variedfrom the illustrative examples shown. The different embodiments may beimplemented using any hardware device or system capable of executingprogram code. As one example, data processing system 200 may includeorganic components integrated with inorganic components and/or may becomprised entirely of organic components excluding a human being. Forexample, a storage device may be comprised of an organic semiconductor.

As another example, a computer readable storage device in dataprocessing system 200 is any hardware apparatus that may store data.Memory 206, persistent storage 208, and computer readable storage media258 are examples of physical storage devices in a tangible form.

In another example, a bus system may be used to implement communicationsfabric 202 and may be comprised of one or more buses, such as a systembus or an input/output bus. Of course, the bus system may be implementedusing any suitable type of architecture that provides for a transfer ofdata between different components or devices attached to the bus system.Additionally, a communications unit may include one or more devices usedto transmit and receive data, such as a modem or a network adapter.Further, a memory may be, for example, memory 206 or a cache such asfound in an interface and memory controller hub that may be present incommunications fabric 202.

It is understood that although this disclosure includes a detaileddescription on cloud computing, implementation of the teachings recitedherein are not limited to a cloud computing environment. Rather,illustrative embodiments are capable of being implemented in conjunctionwith any other type of computing environment now known or laterdeveloped. Cloud computing is a model of service delivery for enablingconvenient, on-demand network access to a shared pool of configurablecomputing resources, such as, for example, networks, network bandwidth,servers, processing, memory, storage, applications, virtual machines,and services, which can be rapidly provisioned and released with minimalmanagement effort or interaction with a provider of the service. Thiscloud model may include at least five characteristics, at least threeservice models, and at least four deployment models.

The characteristics may include, for example, on-demand self-service,broad network access, resource pooling, rapid elasticity, and measuredservice. On-demand self-service allows a cloud consumer to unilaterallyprovision computing capabilities, such as server time and networkstorage, as needed automatically without requiring human interactionwith the service's provider. Broad network access provides forcapabilities that are available over a network and accessed throughstandard mechanisms that promote use by heterogeneous thin or thickclient platforms, such as, for example, mobile phones, laptops, andpersonal digital assistants. Resource pooling allows the provider'scomputing resources to be pooled to serve multiple consumers using amulti-tenant model, with different physical and virtual resourcesdynamically assigned and reassigned according to demand. There is asense of location independence in that the consumer generally has nocontrol or knowledge over the exact location of the provided resources,but may be able to specify location at a higher level of abstraction,such as, for example, country, state, or data center. Rapid elasticityprovides for capabilities that can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time. Measured service allows cloudsystems to automatically control and optimize resource use by leveraginga metering capability at some level of abstraction appropriate to thetype of service, such as, for example, storage, processing, bandwidth,and active user accounts. Resource usage can be monitored, controlled,and reported providing transparency for both the provider and consumerof the utilized service.

Service models may include, for example, Software as a Service (SaaS),Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).Software as a Service is the capability provided to the consumer to usethe provider's applications running on a cloud infrastructure. Theapplications are accessible from various client devices through a thinclient interface, such as a web browser (e.g., web-based e-mail). Theconsumer does not manage or control the underlying cloud infrastructureincluding network, servers, operating systems, storage, or evenindividual application capabilities, with the possible exception oflimited user-specific application configuration settings. Platform as aService is the capability provided to the consumer to deploy onto thecloud infrastructure consumer-created or acquired applications createdusing programming languages and tools supported by the provider. Theconsumer does not manage or control the underlying cloud infrastructureincluding networks, servers, operating systems, or storage, but hascontrol over the deployed applications and possibly application hostingenvironment configurations. Infrastructure as a Service is thecapability provided to the consumer to provision processing, storage,networks, and other fundamental computing resources where the consumeris able to deploy and run arbitrary software, which can includeoperating systems and applications. The consumer does not manage orcontrol the underlying cloud infrastructure, but has control overoperating systems, storage, deployed applications, and possibly limitedcontrol of select networking components, such as, for example, hostfirewalls.

Deployment models may include, for example, a private cloud, communitycloud, public cloud, and hybrid cloud. A private cloud is a cloudinfrastructure operated solely for an organization. The private cloudmay be managed by the organization or a third party and may existon-premises or off-premises. A community cloud is a cloud infrastructureshared by several organizations and supports a specific community thathas shared concerns, such as, for example, mission, securityrequirements, policy, and compliance considerations. The community cloudmay be managed by the organizations or a third party and may existon-premises or off-premises. A public cloud is a cloud infrastructuremade available to the general public or a large industry group and isowned by an organization selling cloud services. A hybrid cloud is acloud infrastructure composed of two or more clouds, such as, forexample, private, community, and public clouds, which remain as uniqueentities, but are bound together by standardized or proprietarytechnology that enables data and application portability, such as, forexample, cloud bursting for load-balancing between clouds.

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

With reference now to FIG. 3, a diagram illustrating a cloud computingenvironment is depicted in which illustrative embodiments may beimplemented. In this illustrative example, cloud computing environment300 includes a set of one or more cloud computing nodes 310 with whichlocal computing devices used by cloud consumers, such as, for example,personal digital assistant or a smart phone 320A, desktop computer 320B,laptop computer 320C, and/or automobile computer system 320N, maycommunicate. Cloud computing nodes 310 may be, for example, server 104and server 106 in FIG. 1. Local computing devices 320A-320N may be, forexample, clients 110-114 in FIG. 1.

Cloud computing nodes 310 may communicate with one another and may begrouped physically or virtually into one or more networks, such asprivate, community, public, or hybrid clouds as described hereinabove,or a combination thereof. This allows cloud computing environment 300 tooffer infrastructure, platforms, and/or software as services for which acloud consumer does not need to maintain resources on a local computingdevice, such as local computing devices 320A-320N. It is understood thatthe types of local computing devices 320A-320N are intended to beillustrative only and that cloud computing nodes 310 and cloud computingenvironment 300 can communicate with any type of computerized deviceover any type of network and/or network addressable connection using aweb browser, for example.

With reference now to FIG. 4, a diagram illustrating abstraction modellayers is depicted in accordance with an illustrative embodiment. Theset of functional abstraction layers shown in this illustrative examplemay be provided by a cloud computing environment, such as cloudcomputing environment 300 in FIG. 3. It should be understood in advancethat the components, layers, and functions shown in FIG. 4 are intendedto be illustrative only and embodiments of the invention are not limitedthereto. As depicted, the following layers and corresponding functionsare provided.

Abstraction layers of a cloud computing environment 400 includeshardware and software layer 402, virtualization layer 404, managementlayer 406, and workloads layer 408. Hardware and software layer 402includes the hardware and software components of the cloud computingenvironment. The hardware components may include, for example,mainframes 410, RISC (Reduced Instruction Set Computer)architecture-based servers 412, servers 414, blade servers 416, storagedevices 418, and networks and networking components 420. In someillustrative embodiments, software components may include, for example,network application server software 422 and database software 424.

Virtualization layer 404 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers426; virtual storage 428; virtual networks 430, including virtualprivate networks; virtual applications and operating systems 432; andvirtual clients 434.

In one example, management layer 406 may provide the functions describedbelow. Resource provisioning 436 provides dynamic procurement ofcomputing resources and other resources, which are utilized to performtasks within the cloud computing environment. Metering and pricing 438provides cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 440 provides access to the cloud computing environment forconsumers and system administrators. Service level management 442provides cloud computing resource allocation and management such thatrequired service levels are met. Service level agreement (SLA) planningand fulfillment 444 provides pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 408 provides examples of functionality for which thecloud computing environment may be utilized. Example workloads andfunctions, which may be provided by workload layer 408, may includemapping and navigation 446, software development and lifecyclemanagement 448, virtual classroom education delivery 450, data analyticsprocessing 452, transaction processing 454, and real-time monitoringalert processing 456.

In the course of developing illustrative embodiments, it was discoveredthat it is unacceptable to receive a monitoring alert regarding anoccurrence of a critical component failure within a cloud environmentand hold that critical alert in an alert management system while waitingfor more monitoring data from other monitoring agents in order togenerate a complete root cause failure graph corresponding to the cloudenvironment. For example, imagine a chain of dependent alerts wherealert B may be caused by alert A and alert C and alert C may be causedby alert D. However, all four of the monitoring agents corresponding tothese four alerts are running on different metric collection timeintervals. For example, alert A at current time interval A3 and alert Cat current time interval C2 are triggered at approximately a same timeand are received by the alert management system. However, becausedifferent metric collection time intervals exists for the differentmonitoring agents, the alert management system is not able to determineif cloud components corresponding to alert B at future time interval B2and alert D at future time interval D2 are experiencing problems, suchas a fault. As a result, the alert management system has a dilemma. Forexample, if the alert management system sends out an alert notificationwith the alert chain of A-C-B-D, potential false alerting exists for thecloud components corresponding to alerts B and D since the currentstatus of these cloud components corresponding to alerts B and D has notbeen ascertained as the metric collection time intervals have not beenreached yet. Alternatively, if the alert management system waits for themetric collection time intervals for the monitoring agents correspondingto alerts B and D to be reached, metrics for the cloud componentscollected, and alert chain generated before sending out the alertnotification, then the alert management system may miss immediatelysending out a critical alert (e.g., alert A) because the alertmanagement waited for more metrics to be collected and processed.

Illustrative embodiments generate raw alerts corresponding to componentswithin a cloud environment to produce accurate root cause alert chainsin real-time. The real-time root cause alert chains provide feedback foroptimizing a root cause dependency tables and dynamically adjustingmetric threshold values corresponding to monitored metrics within thecloud environment to produce more accurate alerts.

Illustrative embodiments utilize a cloud monitoring component to collectmetrics from monitoring agents corresponding to the components withinthe cloud environment and generate the raw alerts based on one or morecollected performance metrics meeting or exceeding defined metricthreshold values. Illustrative embodiments utilize an analysis engine toanalyze these generated raw alerts using a root cause dependency tableand determine whether one or more monitoring agents in the cloudenvironment need to perform a real-time monitoring event (i.e., collectcurrent real-time data corresponding to certain cloud components). Forexample, if the analysis engine has not received one or more alerts in adependency alert chain, then the analysis engine sends a monitoringevent request to an alert engine.

The alert engine then instructs one or more particular monitoring agentsin the cloud environment, which correspond to the one or more dependentalerts not yet received, to collect and send the current real-time data.After receiving the current real-time data from these particularmonitoring agents, the analysis engine then has all of the real-timealerts in the dependency root cause alert chain. The analysis enginesends the dependent root cause alert chain to the alert engine andinstructs the alert engine to send the dependency root cause alert chainto an alerting component.

The alerting component sends the dependency root cause alert chain toone or more system administrators via email, page, and/or real-timemessaging. The analysis engine also sends the dependent root cause alertchain to an optimizer engine. The optimizer engine may, for example,dynamically adjust defined metric threshold values, adjust theconfiguration of monitoring agents to reduce duplicated or known alertsin terms of reducing the monitoring load on the cloud monitoringcomponent and reducing alert noise, disable certain monitoring agents,update the existing root cause dependency table with current alertdependencies, or any combination thereof.

Thus, illustrative embodiments reduce the number of alerts and helpsystem administrators to focus on the real problems in the cloudenvironment. It should be noted that illustrative embodiments mayreceive alerts corresponding to different layers of the cloudenvironment, such as, for example, a network layer, an infrastructurelayer, a storage layer, a platform layer, an application layer, aservice layer, and the like. Furthermore, it should be noted thatillustrative embodiments initially generate the root cause dependencytable based on a multitude of historical alert data.

In contrast with existing alert management systems, illustrativeembodiments not only chain dependent alerts based on generated rawalerts, illustrative embodiments also proactively retrieve additionalmetric data based on the root cause dependency table to determine theroot cause of the alerts in the chain. Further, in contrast withexisting alert management system, illustrative embodiments dynamicallyadjust configurations of monitoring agents to generate more accuratealerts.

With reference now to FIG. 5, a diagram illustrating an example of analert management system is depicted in accordance with an illustrativeembodiment. Alert management system 500 may be implemented in a networkof data processing systems, such as network data processing system 100in FIG. 1, or a cloud computing environment, such as cloud computingenvironment 300 in FIG. 3. Alert management system 500 is a system ofhardware and software components for managing real-time cloudenvironment component monitoring alerts in a chain of alerts, analyzingalerts in the chain to determine a root cause of the alerts havingdependent alert relationships, and optimizing a root cause dependencytable and monitoring agents corresponding to the cloud environment basedon the analysis of the root cause alert chain.

In this example, alert management system 500 includes server computer502 and cloud environment 504. Server 502 may be, for example, server104 in FIG. 1, data processing system 200 in FIG. 2, or a cloudcomputing node in cloud computing nodes 310 in FIG. 3. Server computer502 includes monitoring component 506, alert root cause analysiscomponent 508, and alerting component 510. Monitoring component 506,alert root cause analysis component 508, and alerting component 510 maybe, for example, monitoring component 220, alert root cause analysiscomponent 222, and alerting component 224 in FIG. 2.

Monitoring component 506 utilizes metrics collector 512 to retrieveperformance metrics corresponding to cloud components within cloudenvironment 504 from monitoring agents 514. It should be noted thatdifferent monitoring agents 514 collect different cloud componentperformance metrics at different metric collection time intervals.Metrics collector 512 compares the received performance metrics againstthresholds 516. Thresholds 516 represent a plurality of different metricthreshold values corresponding to different performance metrics.

In response to metrics collector 512 determining that receivedperformance metrics meet or exceed thresholds 516, metrics collector 512generates raw alerts 518. In addition, metrics collector 512 may storethe received performance metrics and raw alerts 518 in database 520 forlater reference and analysis. Subsequently, metrics collector 512 sendsraw alerts 518 to analysis engine 522.

Analysis engine 522 utilizes root cause dependency table 524 to analyzeraw alerts 518 to determine whether dependent alerts corresponding toraw alerts 518 have not yet been received (e.g., the metric collectionintervals corresponding to these dependent alerts have not been reachedyet). After analysis engine 522 determines that the metric collectionintervals corresponding to these dependent alerts have not been reachedyet, analysis engine 522 sends a request to alert engine 526 to collectcurrent real-time performance metrics from particular monitoring agentsin monitoring agents 514 corresponding to the dependent alerts not yetreceived.

After analysis engine 522 receives raw alerts from metric collector 512regarding the current real-time performance metrics from the particularmonitoring agents corresponding to the dependent alerts, analysis engine522 generates root cause alert chain 528. Analysis engine 522 sends rootcause alert chain 528 to alert engine 526 and, in turn, alert engine 526forwards root cause alert chain 528 to alerting component 510. Alertingcomponent 510 sends root cause alert chain 528 in an alert to one ormore system administrators via one or more of page 532, email 534, andreal-time message 536.

Analysis engine 522 also sends root cause alert chain 528 to optimizerengine 530. Optimizer engine 530 analyzes root cause alert chain 528 todiscover current alert dependencies. Based on the discovered currentalert dependencies, optimizer engine 530 updates root cause dependencytable 524 and adjusts thresholds 516.

With reference now to FIG. 6, a sequence diagram illustrating a processfor managing real-time monitoring alerts is shown in accordance with anillustrative embodiment. Sequence diagram 600 may be implemented in analert management system, such as alert management system 500 in FIG. 5.Sequence diagram 600 shows an example sequence of events correspondingto monitoring component 602, analysis engine 604, dependency table 606,alert engine 608, optimizer engine 610, and alerting component 612.Monitoring component 602, analysis engine 604, dependency table 606,alert engine 608, optimizer engine 610, and alerting component 612 maybe, for example, monitoring component 506, analysis engine 522, rootcause dependency table 524, alert engine 526, optimizer engine 530, andalerting component 510 in FIG. 5.

At 614, monitoring component 602 sends raw alerts to analysis engine604. Analysis engine 604 checks for alert dependencies at 616 usingdependency table 606. Based on information obtained during the alertdependency check performed at 616, analysis engine 604 sends a requestfor more metric information at 618 to alert engine 608. In turn, alertengine 608 forwards the request for more metric information at 620 tomonitoring component 602.

At 622, monitoring component 602 collects the requested additionalmetric information from monitoring agents and sends the requestedadditional metrics to analysis engine 604. At 624, analysis engine 604analyzes the requested additional metrics to determine whether therequested additional metrics trigger one or more additional raw alerts.Based on the analysis performed at 624, the analysis engine sends agenerated root cause alert chain at 626 to optimizer engine 610 forlearning alert dependencies within an alert chain.

At 628, optimizer engine 610 optimizes monitoring component 602 by, forexample, adjusting one or more metric threshold values, reconfiguringone or more monitoring agents, disabling one or more monitoring agents,and the like. In addition, optimizer engine 610 sends an optimizationinstruction to analysis engine 604 at 630. At 632, analysis engine 604sends the generated root cause alert chain to alert engine 608. In turn,alert engine 608 sends the generated root cause alert chain at 634 toalerting component 612 for alerting one or more system administratorsvia email, page, and/or real-time messaging, for example.

With reference now to FIG. 7, a diagram illustrating an example of alertrelationships is shown in accordance with an illustrative embodiment.Alert relationships 700 represent relationships between dependent alertsfound in a root cause dependency table, such as root cause dependencytable 524 in FIG. 5. Alert relationships 700 include alerts 702. Metriccollection time intervals 704 represent the different metric collectiontime intervals corresponding to alerts 702.

In this example, alerts 702 include alert A 706, alert B 708, alert C710, and alert D 712. Also in this example, the metric collection timeintervals for alert A 706 are A1 to A8, the metric collection timeintervals for alert B 708 are B1 to B3, the metric collection timeintervals for alert C 710 are C1 to C4, and the metric collection timeintervals for alert D 712 are D1 to D2 for the example time periodshown.

In this example, when a metrics collector, such as metrics collector 512in FIG. 5, triggers alert A at current metric collection time intervalA3 714 and alert C at current metric collection time interval C2 716, ananalysis engine, such as analysis engine 522 in FIG. 5, may determinethat the cloud environment components corresponding to alert B 708 andalert D 712 are encountering issues or problems. However, monitoringagents, such as monitoring agents 514 in FIG. 5, corresponding to thesecloud environment components have different metric collection timeintervals. In other words, the metrics collector has not yet receivedmetrics for these cloud environment components corresponding to alert B708 and alert D 712 and, therefore, the metrics collector cannotgenerate alert B 708 and/or alert D 712. The future metric collectiontime intervals corresponding to alert B 708 and alert D 712 are B2 718and D2 720, respectively. As a result, the analysis engine does not knowthe current status of the cloud components corresponding to alert B 708and alert D 712. Consequently, a system administrator receiving anotification from the analysis engine at this time would not knowwhether alert A 706 and alert C 710 are caused by alert B 708 or whetheralert D 712 is affected by alert C 710.

Thus, the analysis engine proactively requests current real-time metricsfrom the monitoring agents corresponding to alert B 708 and alert D 712before the defined metric collection time intervals (i.e., B2 718 and D2720) for these monitoring agents to determine the status of the cloudcomponents associated with these monitoring agents. Then, the analysisengine determines what the root cause of alerts A 706 and C 710 arebased on the current status of the cloud components corresponding toalert B 708 and alert D 712, respectively. Afterward, the analysisengine generates a root cause alert chain, such as root cause alertchain 528 in FIG. 5, corresponding to the root cause of the alerts.During this analysis process, the analysis engine determines whether onealert is caused one or more other alerts, whether one alert is caused byone or more prior alerts, whether several different alerts correspond tothe same cloud component problem, and the like.

Then, the analysis engine sends the generated root cause alert chain toan optimizer engine, such as optimizer engine 530 in FIG. 5. Theoptimizer engine determines how to optimize the monitoring agents basedon the root cause alert chain. For example, the optimizer engine maydisable monitoring agents that are triggering duplicate alerts or maychange criteria (e.g., thresholds) of alert settings. As a result, theoptimizer engine may increase the performance of a server computer, suchas server computer 502 in FIG. 5, by decreasing the number of alertsprocessed by the server and by decreasing the amount of alert noisecorresponding to the cloud environment, such as cloud environment 504 inFIG. 5. Further, the optimizer engine optimizes the root causedependency table by updating the root cause dependency table to reflectthe current dependent relationships between generated alerts and theircorresponding dependent alerts.

In addition, the analysis engine sends the root cause alert chain to analert engine, such as alert engine 526 in FIG. 5. In turn, the alertengine sends the root cause alert chain to the alerting component, suchas alerting component 510 in FIG. 5, to inform system administratorsthat certain cloud environment components are encountering issues. Thesystem administrators will then analyze the root cause alert chain toresolve issues and problems within the cloud environment. Also, itshould be noted that the server computer, itself, may resolve issueswithin the cloud environment based on the generated root cause alertchain as well.

With reference now to FIGS. 8A-8B, a flowchart illustrating a processfor managing real-time monitoring alerts is shown in accordance with anillustrative embodiment. The process shown in FIGS. 8A-8B may beimplemented in a computer, such as, for example, server 104 in FIG. 1 ordata processing system 200 in FIG. 2.

The process begins when the computer receives a set of metricscorresponding to a set of cloud environment components from a set ofmonitoring agents associated with the set of cloud environmentcomponents (step 802). Afterward, the computer makes a determination asto whether one or more metrics in the set of metrics are greater than orequal to defined metric threshold values corresponding to respectivemetrics in the set of metrics (step 804). If the computer determinesthat none of the metrics in the set of metrics are greater than or equalto defined metric threshold values corresponding to respective metricsin the set of metrics, no output of step 804, then the process returnsto step 802 where the computer continues to receive metrics from the setof monitoring agents. If the computer determines that one or moremetrics in the set of metrics are greater than or equal to definedmetric threshold values corresponding to respective metrics in the setof metrics, yes output of step 804, then the computer generates an alertfor the one or more metrics exceeding or meeting corresponding definedmetric threshold values (step 806).

Further, the computer retrieves a root cause dependency table showingrelationships between dependent alerts within a cloud environment thatcontains the set of cloud environment components (step 808).Subsequently, the computer makes a determination as to whether currentreal-time metrics are needed from one or more monitoring agents of theset of monitoring agents that correspond to dependent alerts not yettriggered in an alert chain of the generated alert based on informationin the root cause dependency table (step 810). If the computerdetermines that no current real-time metrics are needed based on theinformation in the root cause dependency table, no output of step 810,then the process proceeds to step 828. If the computer determines thatcurrent real-time metrics are needed from one or more monitoring agentsof the set of monitoring agents that correspond to dependent alerts notyet triggered in an alert chain of the generated alert based on theinformation in the root cause dependency table, yes output of step 810,then the computer requests the current real-time metrics from the one ormore monitoring agents that correspond to the dependent alerts not yettriggered in the alert chain (step 812).

Afterward, the computer receives the current real-time metrics from theone or more monitoring agents corresponding to the dependent alerts notyet triggered in the alert chain (step 814). Then, the computer makes adetermination as to whether the current real-time metrics trigger thedependent alerts in the alert chain (step 816). If the computerdetermines that the current real-time metrics do trigger the dependentalerts in the alert chain, yes output of step 816, then the computergenerates a root cause alert chain corresponding to the generated alertand the dependent alerts (step 818).

Furthermore, the computer updates, the root cause dependency table toinclude current alert dependencies based on the generated root causealert chain (step 820). Moreover, the computer adjusts a configurationof the one or more monitoring agents in the set of monitoring agents andthe corresponding defined metric threshold values based on the generatedroot cause alert chain to optimize metric collection (step 822). Inaddition, the computer sends a root cause alert chain alert thatcontains the root cause alert chain to a system administrator forfurther analysis (step 824). The computer also corrects problemsassociated with the cloud environment components corresponding totriggered alerts (step 826). Thereafter, the process terminates.

Returning again to step 816, if the computer determines that the currentreal-time metrics do not trigger the dependent alerts in the alertchain, no output of step 816, then the computer processes the generatedalert (step 828). Further, the computer sends the processed alert to asystem administrator for further analysis (step 830). Thereafter, theprocess returns to step 826 where the computer corrects problemscorresponding to triggered alerts.

Thus, illustrative embodiments of the present invention provide acomputer-implemented method, computer system, and computer programproduct for managing real-time cloud environment component monitoringalerts in a chain of alerts, analyzing alerts in the chain to determinea root cause of the alerts having dependent alert relationships, andoptimizing a root cause dependency table and a monitoring componentcorresponding to the cloud environment based on the analysis of the rootcause alert chain. The descriptions of the various embodiments of thepresent invention have been presented for purposes of illustration, butare not intended to be exhaustive or limited to the embodimentsdisclosed. Many modifications and variations will be apparent to thoseof ordinary skill in the art without departing from the scope and spiritof the described embodiments. The terminology used herein was chosen tobest explain the principles of the embodiments, the practicalapplication or technical improvement over technologies found in themarketplace, or to enable others of ordinary skill in the art tounderstand the embodiments disclosed herein.

1-9. (canceled)
 10. A computer system for managing real-time monitoringalerts, the computer system comprising: a bus system; a storage deviceconnected to the bus system, wherein the storage device stores programinstructions; and a processor connected to the bus system, wherein theprocessor executes the program instructions to: generate an alert forone or more metrics exceeding corresponding defined metric thresholdvalues; retrieve a root cause dependency table showing relationshipsbetween alerts; determine whether current real-time metrics are neededfrom one or more monitoring agents that correspond to dependent alertsnot triggered in an alert chain of the generated alert based oninformation in the root cause dependency table; and request the currentreal-time metrics from the one or more monitoring agents that correspondto the dependent alerts not triggered in the alert chain in response todetermining that the current real-time metrics are needed from the oneor more monitoring agents that correspond to the dependent alerts nottriggered in the alert chain of the generated alert based on theinformation in the root cause dependency table.
 11. The computer systemof claim 10, wherein the processor further executes the programinstructions to: determine whether the current real-time metrics triggerthe dependent alerts in the alert chain; and generate a root cause alertchain corresponding to the generated alert and the dependent alerts inresponse to determining that the current real-time metrics trigger thedependent alerts in the alert chain.
 12. The computer system of claim11, wherein the processor further executes the program instructions to:process the generated alert in response to determining that the currentreal-time metrics do not trigger the dependent alerts in the alertchain; and send the generated alert to a system administrator.
 13. Thecomputer system of claim 11, wherein the generated root cause alertchain identifies current alert dependencies and their correspondingmetric collection time sequences.
 14. A computer program product formanaging real-time monitoring alerts, the computer program productcomprising a computer readable storage medium having programinstructions embodied therewith, the program instructions executable bya computer to cause the computer to perform a method comprising:generating, by the computer, an alert for one or more metrics exceedingcorresponding defined metric threshold values; retrieving, by thecomputer, a root cause dependency table showing relationships betweenalerts; determining, by the computer, whether current real-time metricsare needed from one or more monitoring agents that correspond todependent alerts not triggered in an alert chain of the generated alertbased on information in the root cause dependency table; and responsiveto the computer determining that the current real-time metrics areneeded from the one or more monitoring agents that correspond to thedependent alerts not triggered in the alert chain of the generated alertbased on the information in the root cause dependency table, requesting,by the computer, the current real-time metrics from the one or moremonitoring agents that correspond to the dependent alerts not triggeredin the alert chain.
 15. The computer program product of claim 14 furthercomprising: determining, by the computer, whether the current real-timemetrics trigger the dependent alerts in the alert chain; and responsiveto the computer determining that the current real-time metrics triggerthe dependent alerts in the alert chain, generating, by the computer, aroot cause alert chain corresponding to the generated alert and thedependent alerts.
 16. The computer program product of claim 14 furthercomprising: responsive to the computer determining that the currentreal-time metrics do not trigger the dependent alerts in the alertchain, processing, by the computer, the generated alert; and sending, bythe computer, the generated alert to a system administrator.
 17. Thecomputer program product of claim 14, wherein the generated root causealert chain identifies current alert dependencies and theircorresponding metric collection time sequences.
 18. The computer programproduct of claim 17 further comprising: updating, by the computer, theroot cause dependency table to include the current alert dependenciesbased on the generated root cause alert chain.
 19. The computer programproduct of claim 17 further comprising: adjusting, by the computer, aconfiguration of the one or more monitoring agents and the correspondingdefined metric threshold values based on the generated root cause alertchain to optimize metric collection.
 20. The computer program product ofclaim 17 further comprising: sending, by the computer, a root causealert chain alert that contains the generated root cause alert chain toa system administrator.